Yelp / elastalert

Easy & Flexible Alerting With ElasticSearch
https://elastalert.readthedocs.org
Apache License 2.0

Simple query doesn't work #3166

Closed keny2021 closed 3 years ago

keny2021 commented 3 years ago

Hi guys, I'm trying to create a rule in elastalert with a simple query and nothing seems to work. I have created a new index in kibana and every 5 minutes it creates this output when a machine is at 100% CPU:

```
Apr 3, 2021 @ 12:51:16.293 alert_date:Apr 3, 2021 @ 12:51:16.293 alert_id:24552320-92b4-11eb-8efd-f12d1f97a6d4 alert_instance_id:**-*- alert_state:ALERT context_reason:system.cpu.total.norm.pct is greater than a threshold of 90% (current value is 100%) context_value:{"condition0":"100%"} _id:2BYkl3gBM84OhRZn0x5M _index:metric-alerts _score: - _type:_doc
```

I've tried multiple rule search queries and this is my last version, trying to set up an alert for each of the above outputs, using the term "ALERT":

```yaml
name: query metric alerts
type: any
index: metric*

filter:
- query:
    simple_query_string:
      query: "ALERT"

alert:
- "slack"

slack:
slack_webhook_url: "https://hooks.slack.com/services/**********"
```


When I run the rule all I get is this:

```text
# python3 -m elastalert.elastalert --verbose --rule query_metric_alerts.yaml
1 rules loaded
INFO:elastalert:Starting up
INFO:elastalert:Disabled rules are: []
INFO:elastalert:Sleeping for 59.999908 seconds
INFO:elastalert:Queried rule query metric alerts from 2021-04-03 05:42 EDT to 2021-04-03 05:57 EDT: 0 / 0 hits
INFO:elastalert:Ran query metric alerts from 2021-04-03 05:42 EDT to 2021-04-03 05:57 EDT: 0 query hits (0 already seen), 0 matches, 0 alerts sent
INFO:elastalert:Background configuration change check run at 2021-04-03 05:57 EDT
INFO:elastalert:Background alerts thread 0 pending alerts sent at 2021-04-03 05:57 EDT
INFO:elastalert:Disabled rules are: []
INFO:elastalert:Sleeping for 59.999809 seconds
INFO:elastalert:Queried rule query metric alerts from 2021-04-03 05:43 EDT to 2021-04-03 05:58 EDT: 0 / 0 hits
INFO:elastalert:Ran query metric alerts from 2021-04-03 05:43 EDT to 2021-04-03 05:58 EDT: 0 query hits (0 already seen), 0 matches, 0 alerts sent
```

Slack alert is working properly, I have tested it.

Any thoughts? Many thanks

nsano-rururu commented 3 years ago

I don't think there is a "simple_query_string". Isn't it a mistake of "query_string"? Where were you on?

keny2021 commented 3 years ago

I have tried "query_string" as well - not even 1 hit.

"Simple_query_string" comes from here: https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-simple-query-string-query.html

nsano-rururu commented 3 years ago

There is no such thing as simple_query_string

nsano-rururu commented 3 years ago

I don't think elastalert supports it.

nsano-rururu commented 3 years ago

elastalert is not maintained

nsano-rururu commented 3 years ago

```yaml
alert:
  - "slack"
alert_subject: "Test {0} 123 {1} aa"
alert_subject_args:
  - "message"
  - "@timestamp"
alert_text: "Test {0}  123 {1} bb"
alert_text_args:
  - "message"
  - "@timestamp"
filter:
  - query:
      query_string:
        query: "message:Quit"
generate_kibana_discover_url: true
import: "BaseRule.config"
index: "mariadblog-*"
is_enabled: true
name: "a"
num_events: 1
realert:
  minutes: 5
slack_channel_override: "#abc"
slack_emoji_override: ":ghost:"
slack_ignore_ssl_errors: false
slack_msg_color: "danger"
slack_parse_override: "none"
slack_timeout: 10
slack_title_link: "http://127.0.0.1:8080/rules/a"
slack_webhook_url: "https://hooks.slack.com/services/**********"
slack_username_override: "elastalert"
terms_size: 50
timeframe:
  minutes: 5
timestamp_field: "@timestamp"
timestamp_type: "iso"
type: "frequency"
use_strftime_index: false
```

Capture (screenshot)

nsano-rururu commented 3 years ago

@keny2021

Read the elastalert docs, not the elasticsearch docs: https://elastalert.readthedocs.io/en/latest/ https://github.com/Yelp/elastalert/blob/master/README.md

nsano-rururu commented 3 years ago

I won't answer the question anymore. Do something about yourself.

keny2021 commented 3 years ago

@nsano-rururu

Thank you for your replies. One last question, what is the content of your "BaseRule.config" file?

nsano-rururu commented 3 years ago

@keny2021

It is a configuration file of praeco, a web application that generates elastalert rule yaml from a screen. Settings that cannot be set on the screen are written in BaseRule.config, in this case slack_webhook_url.

By the way, I'm the maintainer of praeco. https://github.com/johnsusek/praeco

keny2021 commented 3 years ago

@nsano-rururu that's interesting. Congrats on the Praeco app.

However I am still having issues with my query.

@rehannali How did you fix issue 2754? What credentials have you used?

> @rpotnuru, thanks for helping me out. Problem with credentials, that's why it was unable to read the index.
>
> Originally posted by @rehannali in https://github.com/Yelp/elastalert/issues/2754#issuecomment-619937538

nsano-rururu commented 3 years ago

@keny2021

Is that so. Please do your best.

rehannali commented 3 years ago

@keny2021 You can use the admin or root user password for it to work. I wouldn't recommend doing that. Instead, you need to create a special user, assign it the specific index, and use that for connectivity.

keny2021 commented 3 years ago

@rehannali Thanks for the quick response.

Could you please include the last version of the full code of your rule? Many thanks again

rehannali commented 3 years ago

@keny2021 The code is like in my issue you mentioned earlier. I only changed es_username and es_password to the newly created user and password.

keny2021 commented 3 years ago

@rehannali How did you create the new user in elasticsearch?

rehannali commented 3 years ago

@keny2021 Did you enable security module in elastic search?

keny2021 commented 3 years ago

@rehannali no it's not enabled. I need that to create new users, right?

rehannali commented 3 years ago

yes

nsano-rururu commented 3 years ago

If it is resolved, please close it

keny2021 commented 3 years ago

This has been resolved. Timestamp was the culprit.
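The resolution above ("Timestamp was the culprit") is worth spelling out, because it is the most common cause of a `0 / 0 hits` run that looks like a query problem: ElastAlert wraps every rule's filter in a range clause on `timestamp_field` (default `@timestamp`), so documents that carry their time in some other field, here `alert_date` from the Kibana row in the first post, never fall inside the query window regardless of the filter. The script below is an added example, not code from the issue or from ElastAlert: a preflight check that compares the rule's `timestamp_field` against an index mapping, plus a toy stand-in for the window query that reproduces the zero-hit behaviour and the effect of pointing the rule at `alert_date`. The mapping, the field types and the two alert documents are constructed; `alert_date` as the correct `timestamp_field` is an assumption drawn from the row in the first post, and the `query_string` matching is a deliberate simplification of Elasticsearch, not its real analyzer.

```python
"""Preflight check for an ElastAlert rule's timestamp_field (added example).

ElastAlert only returns documents whose timestamp_field lies inside the query
window, so a rule that points at a field the index does not have gets 0 hits
no matter what the filter says.  Everything below (mapping, documents, the
query stand-in) is constructed for illustration; it is not ElastAlert code.
"""
import fnmatch
from datetime import datetime, timezone

# The rule from the first post, as the dict ElastAlert would load from YAML.
# timestamp_field is ElastAlert's default; the rule in the thread never set it.
RULE = {
    "name": "query metric alerts",
    "type": "any",
    "index": "metric*",
    "timestamp_field": "@timestamp",
    "filter": [{"query": {"query_string": {"query": "ALERT"}}}],
}

# Constructed mapping for the metric-alerts index.  Field names come from the
# Kibana row in the issue; the field types are assumed.
MAPPING = {
    "metric-alerts": {"mappings": {"properties": {
        "alert_date": {"type": "date"},
        "alert_id": {"type": "keyword"},
        "alert_state": {"type": "keyword"},
        "context_reason": {"type": "text"},
    }}},
}

# Constructed alert documents: two 100% CPU alerts five minutes apart.
DOCS = [
    {"alert_date": "2021-04-03T12:51:16.293Z", "alert_state": "ALERT",
     "context_reason": "system.cpu.total.norm.pct is greater than a threshold of 90%"},
    {"alert_date": "2021-04-03T12:56:16.101Z", "alert_state": "ALERT",
     "context_reason": "system.cpu.total.norm.pct is greater than a threshold of 90%"},
]

# A 15-minute query window (constructed) that contains both documents.
WINDOW_START = datetime(2021, 4, 3, 12, 45, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 4, 3, 13, 0, tzinfo=timezone.utc)


def check_timestamp_field(rule, mapping):
    """Return one problem string per index matched by the rule's index pattern
    in which the rule's timestamp_field is missing or not a date field."""
    problems = []
    field = rule.get("timestamp_field", "@timestamp")
    for index, body in mapping.items():
        if not fnmatch.fnmatch(index, rule["index"]):
            continue
        props = body["mappings"]["properties"]
        if props.get(field, {}).get("type") != "date":
            problems.append(f"{index}: timestamp_field '{field}' is not a date "
                            f"field (available: {', '.join(sorted(props))})")
    return problems


def _parse_ts(value):
    # Accept a trailing 'Z' on every Python version fromisoformat supports.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _matches_filter(rule, doc):
    """Toy stand-in for Elasticsearch's query_string: a whole-word,
    case-insensitive match of the query term in any field value."""
    term = rule["filter"][0]["query"]["query_string"]["query"].lower()
    return any(term in str(v).lower().split() for v in doc.values())


def window_hits(rule, docs, start, end):
    """Count documents the rule's query would return for [start, end): the
    filter must match AND the timestamp_field must fall inside the window.
    A document without the timestamp_field never satisfies the range clause."""
    field = rule.get("timestamp_field", "@timestamp")
    hits = 0
    for doc in docs:
        if field not in doc or not _matches_filter(rule, doc):
            continue
        if start <= _parse_ts(doc[field]) < end:
            hits += 1
    return hits


if __name__ == "__main__":
    for problem in check_timestamp_field(RULE, MAPPING):
        print("WARN", problem)
    print("hits with @timestamp:", window_hits(RULE, DOCS, WINDOW_START, WINDOW_END))
    fixed = dict(RULE, timestamp_field="alert_date")
    print("hits with alert_date:", window_hits(fixed, DOCS, WINDOW_START, WINDOW_END))
```

Running it prints a warning for `@timestamp` and 0 hits, then 2 hits once the rule uses `alert_date`. Against a real cluster the same check is one `GET /metric*/_mapping` away; doing it before the first `--verbose` run saves a round of staring at a healthy-looking log that reports `0 / 0 hits`.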